Introduction

A significant cryptojacking campaign has been identified, targeting users of Visual Studio Code (VSCode) through malicious extensions. These extensions [1] [2] [3], which have been downloaded extensively, are part of a coordinated effort to facilitate cryptomining operations using the XMRig cryptominer.

Description

An unknown threat actor is executing a large-scale cryptojacking campaign using malicious extensions in Visual Studio Code (VSCode), with at least ten extensions identified as harmful [3]. These extensions, published on April 4, 2025, by various authors, primarily by an individual known as ‘Mark H,’ have collectively garnered over 300,000 installs, with the most notable extension, ‘Discord Rich Presence for VS Code,’ alone accounting for 189,000 installs [1] [2] [3]. According to Itay Kruk, co-founder of ExtensionTotal, these fake extensions are part of a coordinated effort to facilitate a multi-stage cryptomining operation, specifically utilizing the XMRig cryptominer [3].

The malicious extensions employ a technique that connects to external unauthorized servers via PowerShell during installation to retrieve infection scripts. These scripts are sourced from domains such as asdf11xyz and are designed to introduce legitimate-looking features alongside the malicious functionality, making it difficult for users to detect any suspicious activity. Once infected [1], a scheduled task masquerading as “OnedriveStartup” is automatically generated, ensuring that the malware persists even after system reboots. The extensions also disable critical services like Windows Update and Update Medic, while adding their storage directories to Windows Defender’s exclusion list, effectively evading detection by traditional antivirus software.

The identified extensions include: Discord Rich Presence for VS Code, Claude AI, Golang Compiler, Rust Compiler for VSCode, ChatGPT Agent for VSCode, HTML Obfuscator for VSCode, Python Obfuscator for VSCode, Prettier – Code for VSCode, Rojo – Roblox Studio Sync, and Solidity Compiler [1] [2] [3]. Despite being published under different author names, these extensions share identical code and communicate with the same command and control (C2) server [2]. The malicious extensions attempt to install a legitimate extension after the user downloads the utility, complicating their detection [2]. The associated PowerShell script seeks to run with administrator permissions and, if unsuccessful, creates a new System32 directory from which to execute its malicious DLL, MLANG.dll [2]. This script contains the Trojan executable as a base64-encoded string, which it decodes and writes as Launcher.exe to a directory excluded from Windows Defender monitoring [2]. Launcher.exe then communicates with another C2 server, myaunetsu, to download and execute the XMRig tool for mining Monero [2].

The presence of these malicious extensions highlights that a high number of installs does not equate to safety. They remain active and pose a significant threat to developers using VSCode, underscoring the need for users to be vigilant about suspicious script executions, registry changes, and the disabling of Windows Update services. Developers are advised to exercise caution and limit the installation of extensions to those that are absolutely necessary to mitigate risks.
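The following read-only triage script is an added example, not code from the article or from any of its cited sources. It checks a Windows host for the artefacts described above: installed VSCode extensions whose display names match the list in the article, a scheduled task named like “OnedriveStartup,” disabled Windows Update (wuauserv) and Windows Update Medic (WaaSMedicSvc) services, and Windows Defender exclusion paths that sit under a user profile or contain a Launcher.exe. The service names, the default extensions directory under the user profile, and the “exclusion under a user profile is suspicious” heuristic are the example's own assumptions; the article does not state them.

```powershell
# Added defender-side triage example (not from the article or its sources).
# Run in an elevated PowerShell session; it only reads state and reports findings.

# Display names as quoted in the article. Dash variants are normalised before comparison.
$SuspectDisplayNames = @(
    'Discord Rich Presence for VS Code', 'Claude AI', 'Golang Compiler',
    'Rust Compiler for VSCode', 'ChatGPT Agent for VSCode', 'HTML Obfuscator for VSCode',
    'Python Obfuscator for VSCode', 'Prettier - Code for VSCode',
    'Rojo - Roblox Studio Sync', 'Solidity Compiler'
)

function Test-SuspectExtensions {
    # Assumption: extensions live in the default %USERPROFILE%\.vscode\extensions directory.
    $root = Join-Path $env:USERPROFILE '.vscode\extensions'
    if (-not (Test-Path $root)) { return @() }
    Get-ChildItem -Path $root -Directory | ForEach-Object {
        $manifest = Join-Path $_.FullName 'package.json'
        if (Test-Path $manifest) {
            $pkg  = Get-Content $manifest -Raw | ConvertFrom-Json
            $name = [string]$pkg.displayName -replace '[\u2013\u2014]', '-'
            if ($SuspectDisplayNames -contains $name) {
                [pscustomobject]@{ Check = 'Extension'; Detail = "$name ($($_.Name))" }
            }
        }
    }
}

function Test-PersistenceTask {
    # The article reports a scheduled task masquerading as "OnedriveStartup".
    Get-ScheduledTask -ErrorAction SilentlyContinue |
        Where-Object { $_.TaskName -like '*OnedriveStartup*' } |
        ForEach-Object {
            $actions = ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
            [pscustomobject]@{ Check = 'ScheduledTask'; Detail = "$($_.TaskPath)$($_.TaskName) -> $actions" }
        }
}

function Test-UpdateServices {
    # Assumption: wuauserv is Windows Update and WaaSMedicSvc is Windows Update Medic Service.
    foreach ($svcName in 'wuauserv', 'WaaSMedicSvc') {
        $svc = Get-CimInstance Win32_Service -Filter "Name='$svcName'" -ErrorAction SilentlyContinue
        if ($svc -and $svc.StartMode -eq 'Disabled') {
            [pscustomobject]@{ Check = 'ServiceDisabled'; Detail = "$svcName StartMode=Disabled" }
        }
    }
}

function Test-DefenderExclusions {
    # Heuristic chosen for this example: an exclusion path under a user profile is worth review,
    # and any excluded directory that holds a Launcher.exe matches the dropper described above.
    $prefs = Get-MpPreference -ErrorAction SilentlyContinue
    foreach ($path in @($prefs.ExclusionPath)) {
        if (-not $path) { continue }
        $underProfile = $path -like "$env:SystemDrive\Users\*"
        $hasLauncher  = $false
        try { $hasLauncher = Test-Path -LiteralPath (Join-Path $path 'Launcher.exe') } catch { }
        if ($underProfile -or $hasLauncher) {
            [pscustomobject]@{ Check = 'DefenderExclusion'; Detail = "$path (Launcher.exe present: $hasLauncher)" }
        }
    }
}

$findings = @(Test-SuspectExtensions) + @(Test-PersistenceTask) +
            @(Test-UpdateServices)    + @(Test-DefenderExclusions)

if ($findings.Count -eq 0) {
    Write-Host 'No indicators from the described campaign were found on this host.'
} else {
    $findings | Format-Table -AutoSize
    exit 1   # non-zero exit so the script can gate a fleet-wide check
}
```

A match on any single check is a lead, not a verdict: the display-name comparison only catches the titles the article lists, and a legitimate administrator may have disabled update services or added an exclusion for other reasons. Confirm a hit by reviewing the scheduled task's action and the contents of the excluded directory before remediating.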

Conclusion

The discovery of these malicious extensions underscores the ongoing threat posed by cryptojacking campaigns to software developers. It is crucial for users to remain vigilant and cautious when installing extensions, ensuring they are sourced from reputable developers. Regular monitoring for unusual activities, such as unauthorized script executions and changes to system settings, is essential. Moving forward, enhanced security measures and awareness can help mitigate the risks associated with such threats, safeguarding the integrity of development environments.

References

[1] https://www.hendryadrian.com/malicious-vscode-extensions-infect-windows-with-cryptominers/
[2] https://www.csoonline.com/article/3956464/warning-to-developers-stay-away-from-these-10-vscode-extensions.html
[3] https://www.infosecurity-magazine.com/news/microsoft-vs-code-cryptojacking/